Well, I wanted to write this up, share what's going on with me recently and seek feedback.

As you probably are not aware, I moved into an actual security job this year, earlier in my career than I expected. I went from sys admin to intrusion analyst. I am honored to have this opportunity and I feel I am learning a bit. But there are some issues.

I don't feel that I am where I should be knowledge-wise. Some of the guys I work with are 2 steps away from the GSE, or self-taught experts as far as I can see, with a knowledge of programming and who knows what else.

I don't know where I should be focusing my studies. I've met the job requirements as far as certifications, so I'd like to get on the same level of knowledge as my coworkers. As noted, some have the SANS-level experience, many came from other companies where they did this type of work before. I've been split all around with feeling that I should do what I can to be a well-rounded network defender but unsure how to go about it. I spent all kinds of time and money getting the CCENT so I could pursue the CCNA Security but I don't think that cert will be particularly helpful in teaching me much outside of Cisco, CCP is all point and click.

So I said I would try to learn fundamentals. Right now I'm 25% into Firewall Fundamentals (http://www.amazon.com/Firewall-Fundamen ... 1587052210). So far I'm familiar with what's been covered. I do wonder if, mixed with this and something else, I could possibly challenge the CPPA (formerly GCFW).

Next I suppose I should focus on IDS analysis. I'm going to have to redo this Security Onion install; I haven't used the PC in months and have forgotten most of the passwords. If you guys haven't tried Security Onion, it's great... if you like to use Linux. It still takes an act of God to get things running for the first time, and IDK if I should be using Snorby, ELSA, Sguil, or Squert. I still have no idea why no one has created a usable Snort frontend for modern Windows. If anyone can point me to one, and preferably a walkthrough for installing whatever else will likely have to be installed along with it, feel free. Everything I've found is 10 years old or doesn't use a frontend. #snort on freenode has been useless, a bunch of people autologged into the channel with no activity.

And then of course there's SANS. I could likely take a SANS course and learn a huge deal. Right now I'm leaning towards Sec 501 (GCED); it seems to cover some good stuff.

Anyway, in short, that's where I am today. I'm doing what I can right now, reinstalling SO so I can try to learn some analysis and maybe create and test some Snort rules. I suppose I'll try to keep this thread updated if anyone is interested.

If you really want to learn how things work, don't even bother with GUIs. Just start with a plain Debian (or whatever you prefer) install and install Snort, tcpdump, and any related dependencies. The official Snort guide is current, comprehensive, and well-written, definitely not ~10 years old.

Configure this system in a manner where it can observe traffic between other hosts on the network. It doesn't matter whether you SPAN traffic off of physical hardware or observe an internal virtual network in a virtual environment.

Set up an attacking system and a few vulnerable systems, and learn how to write Snort signatures, advanced tcpdump filters, etc. Don't rely on alerts alone; load up your pcaps in Wireshark and learn how to use Wireshark's filtering and analysis capabilities.

Learn to use Scapy on the attacking side, which can allow you to test specific filters and signatures. If you don't know Python, well, learn Python too.

This book is a fantastic reference and should be owned by anyone doing low-level network analysis: http://www.tcpipguide.com/ (also sold on Amazon). The official Wireshark book is also fantastic as well. It walks you through many common protocols and shows you how to analyze them. You don't just learn how to use Wireshark, but also how those protocols work as well. I wrote a review of the first edition here several years ago.
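A small illustration of the signature-and-test loop described above (write a Snort content rule, then send crafted traffic at it and see whether it fires). This is an added example, not code from the thread or from the Snort project: the rule and its sid are constructed, the packet is hand-built with struct as a stand-in for Scapy's IP()/TCP() layers so it runs with no dependencies, and only plain content matching on protocol and destination port is implemented.

```python
import re
import struct

# Constructed Snort rule for this example (not from the thread); sid is a hypothetical local id.
RULE = ('alert tcp any any -> any 80 (msg:"Test scanner user-agent"; '
        'content:"User-Agent: TestScanner"; sid:1000001;)')

def parse_rule(rule):
    """Parse the header plus msg/content/sid of a plain-content Snort rule (no hex or modifiers)."""
    hdr = re.match(r'(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$', rule)
    action, proto, src, sport, dst, dport, opts = hdr.groups()
    options = dict(re.findall(r'(\w+):"?([^";]*)"?;', opts))
    return {"action": action, "proto": proto, "dport": dport,
            "msg": options["msg"], "content": options["content"], "sid": int(options["sid"])}

def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Hand-built IPv4+TCP packet standing in for Scapy's IP()/TCP(); checksums are left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)  # PSH|ACK
    return ip_hdr + tcp_hdr + payload

def decode(pkt):
    """Minimal decoder: (protocol name, destination port, TCP payload) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = "tcp" if pkt[9] == 6 else str(pkt[9])
    tcp = pkt[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return proto, dport, tcp[data_off:]

def rule_matches(rule, pkt):
    """Snort-style evaluation: protocol and destination port must agree, then content is a substring."""
    proto, dport, payload = decode(pkt)
    if rule["proto"] != proto:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != dport:
        return False
    return rule["content"].encode() in payload

# Constructed test traffic: one request that should fire, one that should not.
HIT = b"GET / HTTP/1.1\r\nHost: lab.test\r\nUser-Agent: TestScanner\r\n\r\n"
MISS = b"GET / HTTP/1.1\r\nHost: lab.test\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for label, pkt in [("match", build_tcp_packet("10.0.0.5", "10.0.0.80", 40000, 80, HIT)),
                       ("wrong port", build_tcp_packet("10.0.0.5", "10.0.0.80", 40000, 8080, HIT)),
                       ("benign UA", build_tcp_packet("10.0.0.5", "10.0.0.80", 40000, 80, MISS))]:
        print(label, "->", "ALERT sid %d" % rule["sid"] if rule_matches(rule, pkt) else "no alert")
```

The "wrong port" case is the one worth keeping in mind when a rule stays silent in the lab: the header fields are checked before the content ever is.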

As always, I'm all over the place. One day I'm doing IDS, the next malware analysis (see my blog for more info). Anyway, I likely will do something to that effect in the future. I'm not familiar with Debian at all, and I understand there are some differences in how Kali works in Debian.

At this point I want to build a good plan for moving forward. I'm thinking a monthly plan for what I want to learn or do in that month.

As far as Sec 501 vs. 503, nothing has been decided yet, but where I am right now, I'm trying to get an all-around net defense knowledge base from where I can go. 501 covers everything I'm doing/interested in doing right now: Def network infrastructure, packet analysis, malware. 503 is straight intrusion detection. I think I may pigeonhole myself if I go there immediately, not to mention I think I'll need to immerse myself into that slowly, hex analysis and tearing down packets at the bit level. I've never liked numbers so I'm trying to lower myself into the waters.